Tales from the web scanning front: Don’t eat the entire buffet at once

One of the more common problems that we see is customers trying to bite off more of their application infrastructure at once than they can chew. A certain amount of planning will yield better, more digestible results with substantially less indigestion.

Dropping all of acme.com into your web scanner when there are 100 applications with 50,000 pages across 60 subdomains is likely not an optimal strategy. Here are some considerations:

Scan time: Assuming reasonable connectivity and application server horsepower, a scan of a medium-sized application can take 3-12 hours. Scanning 60 applications in a single job can take a week or more before the scan completes and you can start working on the results, and nothing is actionable until the whole job finishes.

Information Segmentation: Most enterprises have more than one development team. It is not good practice to ship detailed information about all of your vulnerabilities to people who don't need to know it. It is also much easier to produce one report per application and send it to the team that codes that application, so they can fix exactly the vulnerabilities listed in the report.

Report Size: A scan that large will create a report that will be immense if you have any significant number of findings. Even if your vendor segments and paginates the report, it is going to be harder to navigate than a series of smaller reports.

Re-Scanning: Once the developers start remediating vulnerabilities, you will be asked to re-scan to give a clean bill of health for each application. You don’t want to have to wait the week or more an enterprise scan takes to update the development team.

The one downside to all of this is that you will have to kick off and monitor more scans. If you have a large number of applications and this is likely to be a logistical headache, you should consider an enterprise portal to schedule and monitor scans and deliver scan results (full disclosure, we offer such a tool).
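To make the per-application breakdown concrete, here is an added example (not part of the original post, and not the vendor's portal) that turns a small application inventory into one scan job per application, estimates each job's duration from an assumed crawl rate, packs the jobs onto a fixed number of concurrent scanner workers, and routes each report only to the owning team. The inventory, hostnames, team names, page counts and the throughput constant are all constructed for illustration.

```python
"""Plan a scanning program as one job per application instead of one
enterprise-wide scan: estimate duration, pack jobs onto scanner slots,
and route each result to the team that owns the application."""
from dataclasses import dataclass
from heapq import heappush, heappop

# Constructed sample inventory; hostnames, teams and page counts are
# hypothetical and not taken from any real acme.com estate.
INVENTORY = [
    # (application, hostname, owning team, approximate page count)
    ("storefront",  "shop.acme.example",    "commerce", 8000),
    ("checkout",    "pay.acme.example",     "commerce", 1500),
    ("helpdesk",    "support.acme.example", "cx",       4000),
    ("hr-portal",   "hr.acme.example",      "internal", 600),
    ("legacy-cms",  "www.acme.example",     "web",      20000),
    ("api-gateway", "api.acme.example",     "platform", 300),
]

# Assumed crawler throughput; tune to your scanner and target environment.
PAGES_PER_HOUR = 1500
MIN_MINUTES = 30  # every job carries fixed spider/setup overhead


@dataclass(frozen=True)
class ScanJob:
    app: str
    team: str
    scope: str      # URL prefix the scanner is allowed to crawl
    minutes: int    # estimated wall-clock duration


def estimate_minutes(pages: int) -> int:
    """Rough duration estimate: linear in page count with a floor."""
    return max(MIN_MINUTES, pages * 60 // PAGES_PER_HOUR)


def build_jobs(inventory) -> list[ScanJob]:
    """One job per application, scope pinned to that app's host only."""
    return [ScanJob(app, team, f"https://{host}/", estimate_minutes(pages))
            for app, host, team, pages in inventory]


def schedule(jobs, slots: int):
    """Greedy longest-first packing onto `slots` concurrent scanner
    workers. Returns (assignment by slot, makespan in minutes)."""
    loads = [(0, i) for i in range(slots)]   # heap of (minutes, slot index)
    assignment = {i: [] for i in range(slots)}
    for job in sorted(jobs, key=lambda j: j.minutes, reverse=True):
        load, i = heappop(loads)             # least-loaded worker
        assignment[i].append(job.app)
        heappush(loads, (load + job.minutes, i))
    makespan = max(load for load, _ in loads)
    return assignment, makespan


def reports_by_team(jobs):
    """Route each per-application report only to its owning team."""
    routing: dict[str, list[str]] = {}
    for job in jobs:
        routing.setdefault(job.team, []).append(job.app)
    return routing


if __name__ == "__main__":
    jobs = build_jobs(INVENTORY)
    for slots in (1, 3):
        plan, makespan = schedule(jobs, slots)
        print(f"{slots} slot(s): finishes in ~{makespan / 60:.1f} h; plan={plan}")
    for team, apps in reports_by_team(jobs).items():
        print(f"{team}: {', '.join(apps)}")
```

Because each job's scope is a single application host, a re-scan after remediation is just that one job run again, and the resulting report already belongs to exactly one team. The packing step shows the other half of the trade-off: with the sample numbers the same work that takes roughly 23 hours end to end on one worker finishes in about 13 hours on three, bounded by the largest single application.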

As in most endeavors, a bit of planning goes a long way toward making life easier. Giving some thought to how you break up your scans will make your application scanning program both easier to run and more effective.